Accept build jobs from all commiters of nixpkgs, but only on linux hosts
authorized -> trusted, since authorized means nothing now
This commit is contained in:
Graham Christensen
parent
1326fdbe33
commit
8c1badeab6
3 changed files with 49 additions and 15 deletions
|
|
@ -1,18 +1,30 @@
|
|||
|
||||
pub struct ACL {
|
||||
authorized_users: Vec<String>,
|
||||
trusted_users: Vec<String>,
|
||||
known_users: Vec<String>,
|
||||
}
|
||||
|
||||
impl ACL {
|
||||
pub fn new(authorized_users: Vec<String>) -> ACL {
|
||||
return ACL { authorized_users: authorized_users };
|
||||
pub fn new(trusted_users: Vec<String>, known_users: Vec<String>) -> ACL {
|
||||
return ACL {
|
||||
trusted_users: trusted_users,
|
||||
known_users: known_users,
|
||||
};
|
||||
}
|
||||
|
||||
pub fn can_build(&self, user: &str, repo: &str) -> bool {
|
||||
pub fn can_build_restricted(&self, user: &str, repo: &str) -> bool {
|
||||
if repo.to_lowercase() != "nixos/nixpkgs" {
|
||||
return false;
|
||||
}
|
||||
|
||||
return self.authorized_users.contains(&user.to_lowercase());
|
||||
return self.known_users.contains(&user.to_lowercase());
|
||||
}
|
||||
|
||||
pub fn can_build_unrestricted(&self, user: &str, repo: &str) -> bool {
|
||||
if repo.to_lowercase() != "nixos/nixpkgs" {
|
||||
return false;
|
||||
}
|
||||
|
||||
return self.trusted_users.contains(&user.to_lowercase());
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -55,7 +55,8 @@ pub struct LogStorage {
|
|||
#[derive(Serialize, Deserialize, Debug)]
|
||||
pub struct RunnerConfig {
|
||||
pub identity: String,
|
||||
pub authorized_users: Option<Vec<String>>,
|
||||
pub trusted_users: Option<Vec<String>>,
|
||||
pub known_users: Option<Vec<String>>,
|
||||
}
|
||||
|
||||
#[derive(Serialize, Deserialize, Debug)]
|
||||
|
|
@ -69,9 +70,14 @@ impl Config {
|
|||
}
|
||||
|
||||
pub fn acl(&self) -> acl::ACL {
|
||||
return acl::ACL::new(self.runner.authorized_users.clone().expect(
|
||||
"fetching config's runner.authorized_users",
|
||||
));
|
||||
return acl::ACL::new(
|
||||
self.runner.trusted_users.clone().expect(
|
||||
"fetching config's runner.trusted_users",
|
||||
),
|
||||
self.runner.known_users.clone().expect(
|
||||
"fetching config's runner.known_users",
|
||||
),
|
||||
);
|
||||
}
|
||||
|
||||
pub fn github(&self) -> Github {
|
||||
|
|
|
|||
|
|
@ -53,11 +53,25 @@ impl worker::SimpleWorker for GitHubCommentWorker {
|
|||
return vec![worker::Action::Ack];
|
||||
}
|
||||
|
||||
if !self.acl.can_build(
|
||||
let build_destinations: Vec<(Option<String>,Option<String>)>;
|
||||
|
||||
if self.acl.can_build_unrestricted(
|
||||
&job.comment.user.login,
|
||||
&job.repository.full_name,
|
||||
) {
|
||||
build_destinations = vec![
|
||||
(Some("build-jobs".to_owned()), None)
|
||||
];
|
||||
} else if self.acl.can_build_restricted(
|
||||
&job.comment.user.login,
|
||||
&job.repository.full_name,
|
||||
)
|
||||
{
|
||||
build_destinations = vec![
|
||||
(None, Some("build-inputs-x86_64-linux".to_owned())),
|
||||
(None, Some("build-inputs-aarch64-linux".to_owned())),
|
||||
];
|
||||
} else {
|
||||
println!(
|
||||
"ACL prohibits {} from building {:?} for {}",
|
||||
job.comment.user.login,
|
||||
|
|
@ -125,11 +139,13 @@ impl worker::SimpleWorker for GitHubCommentWorker {
|
|||
statusreport: Some((Some("build-results".to_owned()), None)),
|
||||
};
|
||||
|
||||
response.push(worker::publish_serde_action(
|
||||
Some("build-jobs".to_owned()),
|
||||
None,
|
||||
&msg,
|
||||
));
|
||||
for (exch, rk) in build_destinations.clone() {
|
||||
response.push(worker::publish_serde_action(
|
||||
exch,
|
||||
rk,
|
||||
&msg,
|
||||
));
|
||||
}
|
||||
}
|
||||
commentparser::Instruction::Eval => {
|
||||
let msg = massrebuildjob::MassRebuildJob {
|
||||
|
|
|
|||
Loading…
Reference in a new issue